H.323 Proxy/Gatekeepers and Firewalls

Discussion in 'Cisco' started by Matthew Melbourne, Jan 21, 2004.

  1. How do organisations implement H.323 Proxies and Gatekeepers (e.g. Cisco
    IOS MCM) alongside firewalls?

    Since the H.323 protocol is not particularly firewall-friendly, one
    solution is to place an H.323 Proxy/GK (e.g. a router running the Cisco IOS
    MCM code) in parallel with a firewall. Suitable access-lists on the Cisco
    IOS MCM router can prevent traffic being routed through the device, but
    the fact that it straddles the firewall does not, perhaps justifiably, sit
    comfortably with some IT administrators.

    Another option is to place the Proxy/GK with one interface on the internal
    ('trusted') network, so VC endpoints can register directly with the GK,
    without the traffic passing through the firewall, and place the H.323
    proxied interface in a DMZ. Static address translation is then used
    between the DMZ and the External network on the firewall. This assumes
    that the firewall has the ability to inspect the H.323 call setup and
    control functions (e.g. PIX H.323 fixups) and can correctly NAT the
    inbound and outbound traffic.

    A further enhancement might be to place both 'internal' and 'external'
    H.323 Proxy/GK interfaces on different DMZs, but this could mean H.323
    traffic passing through the firewall twice.

    Having H.323 traffic pass through firewalls also highlights the issue of
    QoS, as many firewalls are simple first-in-first-out devices and may not
    honour QoS classifications. This is not an issue for an H.323 Proxy/GK
    connected in parallel with the firewall, but can this solution be
    implemented in a secure manner?

    Cheers,

    Matt

    --
    Matthew Melbourne
     
    Matthew Melbourne, Jan 21, 2004
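
The first design in the post relies on access-lists to stop the parallel Proxy/GK router from forwarding transit traffic. As an added example (not part of the original post, and not Cisco tooling), the check below flags any permit entry in an inbound extended ACL whose destination is not one of the proxy's own interface addresses. The addresses, ACL number and port ranges are constructed, and the parser handles only the simple numbered `access-list` form.

```python
import ipaddress

# Constructed sample data (documentation/private ranges); not from the post.
PROXY_ADDRS = {ipaddress.ip_address("10.1.1.2"),    # inside interface
               ipaddress.ip_address("192.0.2.2")}   # outside interface

# Port ranges below are placeholders, not the ranges a given IOS MCM release uses.
WEAK_ACL = """\
access-list 110 permit tcp any host 192.0.2.2 eq 1720
access-list 110 permit udp any any range 16384 32767
access-list 110 deny ip any any
"""
STRICT_ACL = """\
access-list 110 permit tcp any host 192.0.2.2 eq 1720
access-list 110 permit udp any host 192.0.2.2 range 16384 32767
access-list 110 deny ip any any
"""

PORT_OPS = {"eq": 2, "gt": 2, "lt": 2, "neq": 2, "range": 3}  # tokens consumed


def _take_addr(tok, i):
    """Parse 'any', 'host A' or 'A wildcard' at tok[i]; return (network, next i)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # Wildcard mask is an inverted netmask; assumes contiguous wildcard bits.
    prefix = 32 - bin(int(ipaddress.ip_address(tok[i + 1]))).count("1")
    return ipaddress.ip_network(f"{tok[i]}/{prefix}", strict=False), i + 2


def transit_permits(acl_text, local_addrs):
    """Return permit lines whose destination is not a single proxy-owned address."""
    findings = []
    for line in acl_text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] != "permit":
            continue
        _, i = _take_addr(tok, 4)                 # source address
        if i < len(tok) and tok[i] in PORT_OPS:   # optional source-port match
            i += PORT_OPS[tok[i]]
        dst, _ = _take_addr(tok, i)               # destination address
        if dst.prefixlen != 32 or dst.network_address not in local_addrs:
            findings.append(line)
    return findings


if __name__ == "__main__":
    print("weak:", transit_permits(WEAK_ACL, PROXY_ADDRS))
    print("strict:", transit_permits(STRICT_ACL, PROXY_ADDRS))
```

An empty result means every permitted packet terminates on the proxy itself, so the ACL leaves nothing for the router to forward around the firewall.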